Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks

摘要

The lack-of service differentiation and resource isolation by current IP routers exposes their vulnerability to Distributed Denial of Service (DDoS) attacks (Garber, 2000), causing a serious threat to the availability of Internet services. Based on the concept of layer-4 service differentiation and resource isolation, where the transport-layer information is inferred from the IP headers and used for packet classification and resource management, we present a transport-aware IP (tIP) router architecture that provides fine-grained service differentiation and resource isolation among different classes of traffic aggregates. The tIP router architecture consists of a fine-grained Quality-of-Service (QoS) classifier and an adaptive weight-based resource manager. A two-stage packet-classification mechanism is devised to decouple the fine-grained QoS lookup from the usual routing lookup at core routers. The fine-grained service differentiation and resource isolation provided inside the tIP router is a powerful built-in protection mechanism to counter DDoS attacks, reducing the vulnerability of Internet to DDoS attacks. Moreover, the tIP architecture is stateless and compatible with the Differentiated Service (DiffServ) infrastructure. Thanks to its scalable QoS support for TCP control segments, the tIP router supports bidirectional differentiated services for TCP sessions.